[TYPO3] weird url injection

Bernd Wilke 19m0nyq02 at sneakemail.com
Thu Apr 5 16:59:54 CEST 2007



--
www.bernd-wilke.net
"Debora" <MimeFly at gmail.com> wrote in news message
news:mailman.1.1175768606.16648.typo3-english at lists.netfielders.de...
> Hi all,
>
> To my horror I noticed that someone has been trying to hack my website
> (TYPO3 4.0.5, PHP 5.1.6 -> both being upgraded today). My site is
> multilingual and I always upgrade extensions by default. I also clear all
> cache at the start of each day manually...
>
> What's the problem:
> - The urls (both internal and external and inside google!) have this added
> to it:
>       ...      "?ref=Fuckonly.com" ...
> - It does not 'do' anything (thank the gods), the pages are being
> displayed normally but with that annoying reference, but I DO NOT want to be
> affiliated with a p*rn site whatsoever!!!
>
> The temporary "solution" ??
> - I have no idea ... but I have cleared all cache and temp directories and
> it 'seems' to be gone for now. Luckily the only DB tables 'affected' are the
> statistics modules, which have logged everything of course...

You can only clear the FE cache.

> I have looked into the statistics and it seems to have happened for the
> first time around 16/17 March 2007. Always from different IP addresses. But
> what strikes me is that the most affected language is Chinese (Simpl.) and
> just one or two URLs in Spanish/English... It seems to be a PHP problem,
> but I really don't know IF it's TYPO3 or PHP or both...

It is a cache problem, so every page and its parameters are cached; as far as
the cache is rebuilt once a day, the first call to your pages may store
these strange parameters in the links from that page (especially if those
parameters are defined in "config.linkVars").

> So what I would like to know, has this been a hack attempt ? Or a script
> kiddie? Or a spambot of some sort ?? Cause I have no idea...

I think it might be an attempt to hijack your site for cross-site scripting or
SQL injection (see Wikipedia).

> Does anyone know how to prevent this from happening again ?

I would like to know too.

Bernd
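
Added example, not part of the original message and not TYPO3 code: a small Python check that scans web server access logs for query parameters outside an allowlist, reporting when each was first seen and from how many client addresses, which is the information the statistics module gave in the thread. The allowlist, the "tx_" prefix rule, the log format and the sample lines are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the query parameters this site legitimately uses; adjust per site.
ALLOWED_PARAMS = {"id", "L", "type", "cHash", "no_cache"}

# Apache common/combined log format: client IP, day of request, request target.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*"'
)

# Constructed sample lines (documentation IP ranges, placeholder parameter value).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2007:09:12:01 +0100] "GET /index.php?id=12&L=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Mar/2007:03:40:22 +0100] "GET /index.php?id=12&L=3&ref=spam.example HTTP/1.1" 200 5150',
    '203.0.113.44 - - [17/Mar/2007:03:41:09 +0100] "GET /index.php?id=20&L=3&ref=spam.example HTTP/1.1" 200 4870',
    '192.0.2.10 - - [17/Mar/2007:10:02:55 +0100] "GET /index.php?id=20&cHash=ab12cd34 HTTP/1.1" 200 4870',
]


def unexpected_params(lines, allowed=ALLOWED_PARAMS):
    """Summarise query parameters that are outside the allowlist.

    Lines are assumed to be in chronological order, so the first hit
    for a parameter gives its first-seen day.
    """
    report = {}
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        ip, day, target = match.groups()
        query = urlsplit(target).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # Assumption: extension parameters (tx_...) are legitimate here.
            if name in allowed or name.startswith("tx_"):
                continue
            entry = report.setdefault(
                name, {"first_seen": day, "hits": 0, "ips": set(), "values": set()}
            )
            entry["hits"] += 1
            entry["ips"].add(ip)
            entry["values"].add(value)
    return report


if __name__ == "__main__":
    for name, info in unexpected_params(SAMPLE_LOG).items():
        print(name, info["first_seen"], info["hits"], sorted(info["ips"]), sorted(info["values"]))
```

A parameter that first appears on one day and then arrives from many unrelated addresses is the pattern described in the thread.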
